11:02 pm (UTC-7) | by Ben April (Threat Researcher)
At the risk of sounding repetitious, there is yet another basic internet protocol that is seeing increased use in distributed denial of service (DDoS) attacks. This time it is NTP, or the Network Time Protocol. It’s not nearly as well known as DNS or HTTP, but just as important. NTP is used to synchronize the time across multiple networked devices – without it, we’re back to the days where setting the time on your computer had to be done manually. A solution to these attacks has been known for ten years, but unfortunately has not seen widespread adoption.
The main function of NTP is to distribute the time from high precision sources such as GPS or cesuim clocks to compatible devices. I’m sorry to have to tell you this, but the clock inside your computer sucks. Quartz crystal based clocks usually have an error-rate of about 1 ppm (part per million), or the loss or gain of one microsecond per second. This translates to about a half second of clock-drift per month, which doesn’t sound all that bad.
Unfortunately, we don’t know which way the clock is drifting at any given time and slight temperature changes can really throw quartz crystals for a loop. In addition, in that half second a 1GHz processor (slow by modern standards) has undergone 500 million clock cycles. With clustered and distributed systems, having a good idea what time it is becomes critical.
NTP peers exchange UDP packets to compare notes about what time they think it is. A well-configured client will look to three or more peers with better time accuracy then it has. When a peer further from a reference clock believes that its time is no longer accurate, it will make a tiny correction to its clock rate. This allows the system time to change slowly, so that any running software won’t be disrupted. It’s a straightforward solution to an important problem.
Unfortunately, miscreants are using this critical service to launch DDoS attacks. NTP servers are generally public facing, and will often accept connections from anyone. There is a monlist command that can be sent via UDP to an NTP server that will ask the server to reply with the peers it has recently had contact with.
This is useful for troubleshooting, but it’s a perfect tool for attackers. Send a small packet with the source address forged to your target and the server will happily send your target a nice blob of data. The busier the server, the more the attack is amplified.
IT administrators can do some things to avoid becoming an inadvertent accomplice for these attacks. (One thing that will not solve this problem is IPv6, as NTP also functions over it.) First, disable unused services. You would be shocked to know how many systems out there still offer chargen. If a computer is not acting as an NTP server, it does not need to be running the NTP server software. This goes for other unused services and protocols as well.
Second, consider your configuration of the services you do run. It turns out that at least in the versions of NTP I have here, the monlist command is enabled by default. Unfortunately, this takes time and research on the part of users to find out the risks of every option. A better solution is for applications to provide sensible and secure defaults.
Third, and most importantly, IP spoofing should be detected and blocked at the network edge. Implementation of BCP-38 often sounds impossible, but it is really not that bad. I know of global backbones that had it in use ten years ago. The key is to focus only on the network edge (this will not scale if done in the core).
The simplified version is to configure your edge routing devices to only allow incoming packets from an interface IF a reply to that packet could reasonably be routed to that interface. Not only does this prevent NTP, chargen and DNS spoofing attacks from using your network assets to attack others, it prevents all IP spoofing that would cross your network.
Protocol whack-a-mole is getting old. BCP-38 is to Internet security what hand-washing is to medicine. As more networks become compliant, your security resources can divert their resources from DDoS attacks and start to focus on problems that we don’t have good solutions for yet.
BCP-38 was published in May 2000. We have known how to remove most current DDOS activity for over 13 years! While it is free ‘as in beer’, it does require technical resources to implement. Consider the savings, however, when you can be confident that your network is NOT participating in a spoofed DDoS attack?
Unfortunately, implementation of BCP-38 only prevents your assets from being used in an attack. It does not prevent you from being attacked. Spread the word and encourage others to practice good Internet hygiene as well, and perhaps these spoofing attacks can be minimized in the long run.
Update as of 01:00 PM PST, February 27, 2014:
We have released new Deep Security rules that provide protection against this vulnerability, namely:
- 1005907 – NTP Server Unrestricted Query Reflected Denial Of Service Vulnerability
- 1005910 – Identified ntpd ‘monlist’ Query Reflected Denial Of Service Attack
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.
Share this article